[Snort-users] Question about stream4

Hendo hendo at ...3663...
Fri Nov 19 06:07:26 EST 2004


My company has a mainframe and it is always terminating connections in a
way that trips snorts stream4 preprocessor.


It always either sets the PSH Flag with RST or even the ACK PSH RST.

This causes a stream4 stealth activity alert.

I want to keep monitoring the mainframe, so a filter is not suitable.


I wish stream4 had some configurability to ignore that flag combo from
that particular address.


Ideas welcome.


Thanks

Dennis





More information about the Snort-users mailing list